We learned this week from the British government that almost a third of UK firms with digital supply chains are vulnerable to cyberattacks. Many lack even basic protective measures, and most of them are small-to-medium-sized enterprises (SMEs).
It’s a similar story elsewhere. A recent Accenture study showed that in the US, 43 per cent of cyberattacks were aimed at SMEs, but that just 14 per cent of such companies are adequately protected. Those are scary numbers, on both sides of the Atlantic.
It’s no secret that digital supply chains are especially vulnerable to cyberattack, because they have so many moving parts. In an unprotected company, every link in its supply chain is potentially a weak one - an entry point for malware, ransomware or denial of service attacks.
Third-party code 'cybersecurity problem'
Ehud Amiri, product management VP with cloud security specialists Aqua Security, says the reality of the digital supply chain is that organisations rely heavily on third-party code, potentially introducing risky components into their applications.
“This provides plenty of opportunities for attackers to target legitimate software through third parties and embed themselves into the development process,” says Amiri. “Malicious actors have set their sights on poisoning the well, by targeting where applications are developed or their building block components.
He adds: “Aqua Security’s threat research has detected varying levels of attack sophistication and evasion techniques. For example, malicious container images could be used as part of a supply chain attack targeting cloud native environments.”
Amiri says the higher up the supply chain attackers go, the better their chances of success. “This is why more-advanced attackers look for widely used packages that might reappear in many different applications. If an organisation’s supply chain is penetrated, attackers can use their foothold to increase their blast radius and escape into adjacent environments.”
Supply chain cybersecurity is mostly housekeeping
So far, so alarming. Yet put yourself in the shoes of the poor old SME CEO for a moment. We’ve had the pandemic, supply chain disruptions, Brexit (if you’re UK-based), inflation and worker shortages. Most CEOs (and C-suite execs generally) have never been so under the pump. It’s easy to see why cybersecurity might slip down that ever-growing list of business priorities.
After all, cybersecurity is devilishly expensive, especially in the current economic climate. Right?
Well, it can be, but the good news for SMEs is that they can protect themselves against all but the most sophisticated cyberattacks at little or no cost. How so? Because most cyber-vulnerability stems from poor housekeeping. For most, becoming cyber-secure amounts to little more than keeping software and firmware patched and securely configured, and being meticulous about passwords and accounts.
But what does being ‘adequately protected’ actually look like when it comes to IT security settings and protocols?
To find out, I put the readiness tool of the UK Government’s Cyber Essentials scheme through its paces. Just ten minutes later, I was the proud owner of a PDF cybersecurity action plan, comprising simple steps and measures that ought to take a committed business no more than a few weeks to implement.
Cyber Essentials is a Government-backed and industry-supported scheme that provides a tailored statement of the basic controls businesses need to protect themselves.
Developed and operated by the National Cyber Security Centre (NCSC), it’s a crucial step to a more secure network. The NCSC says implementing its controls will protect your business against around 80 per cent of common cyberattacks.
Although the service is available only to UK-based businesses, its advice is universal. And the advice I was given is included in full below.
Cyber Essentials Readiness Plan
(NOTE: I told Cyber Essentials that my company was in retail and that I had 250 employees. It is a Q&A-based system, and I answered ‘No’ to all its questions, so what follows is the advice that a completely unprotected company would need to follow.)
Does someone in your organisation have a list of all the hardware devices that you use, for instance the types of laptops, smartphones, firewalls and routers?
Action item: It would be a great idea to create a list of all devices in your organisation. In addition to having financial worth, devices also hold information, which is valuable to both you and your customers. This might mean talking to staff, checking purchase requests and receipts and working through each office in a detailed way. It is important to know about every device that holds information which you wouldn't want to be lost.
Do you have a list of all software / firmware used on devices within your organisation?
Action item: Knowing what software and firmware you have and whether they are supported is really important. Software and firmware are supported by the manufacturer for a period of time after they have been developed. This support means that if a mistake or weakness, known as a vulnerability, is discovered in the product, the vendor will provide protection. Unsupported software can leave you vulnerable to cyberattacks.
Create a list of all software and firmware used within your organisation. This might be firmware found on your router or firewall, it might be the versions of operating system (such as Windows or macOS), browser platforms (such as Adobe Flash) or it may be your suite of office tools (such as Microsoft Word, Dropbox or Hootsuite).
On your firewalls and internet gateways have you changed all the passwords from the default ones, and are they difficult to guess and more than eight characters?
Do you have a password changing process in place?
Action item: Passwords can become compromised when people leave a company, for example. Look at having a simple process in place for changing passwords when they are known by people who shouldn't know them.
Do you review services that are accessible externally?
Action item: Your organisation’s devices connect to the internet through a gateway. A gateway in a network has the same job as a gateway in a field. It is there to keep some things in, some things out and to allow specific things to pass through.
Always review what services from within your network you expose to the outside world, and how many people you are allowing to use that service. A ’bot’ is a software application that runs automated tasks over the internet. Criminals use this tool to scan the internet for open ports and services that are available for use and could be exploited. If there was a vulnerability or misconfiguration, they would know before you.
Always review whether you have a requirement for an open port, and if you do, can you configure this to as few people as possible? Make sure that you can continually update those services exposed to the outside world. If you are unsure about this, seek guidance from a professional who can perform a security scan against your network. Here’s more information and guidance on firewalls.
Have you configured your internet routers or your hardware firewalls to block all other services being advertised to the internet?
Action item: Get someone to review your gateway or firewall configuration to ensure that only services with a valid business need are exposed. Any services that are not required to be exposed to the internet, should be blocked.
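The two items above amount to one procedure: list what is listening, decide which of it has a business need, and block the rest. As an added example that is not part of the Cyber Essentials plan, the Python script below parses the output of Linux's `ss -tlnp` (the sample here is constructed, not a real capture) and flags every listener reachable from the network that is not in a hypothetical register of approved services (`ALLOWLIST`, an assumption for the example). A loopback-only listener such as the database on 127.0.0.1 is left alone; a VNC server and an SMB share bound to every interface are reported.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the format of `ss -tlnp` on Linux; this is not a real capture.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*     users:(("nginx",pid=1201,fd=6))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*     users:(("mysqld",pid=990,fd=21))
LISTEN 0      128    [::]:22             [::]:*        users:(("sshd",pid=812,fd=4))
LISTEN 0      128    0.0.0.0:5900        0.0.0.0:*     users:(("x11vnc",pid=2210,fd=5))
LISTEN 0      50     0.0.0.0:445         0.0.0.0:*     users:(("smbd",pid=1410,fd=38))
"""

# Hypothetical register of services with a recorded business need: port -> expected process.
ALLOWLIST = {22: "sshd", 80: "nginx", 443: "nginx"}

LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str

    @property
    def reachable_from_network(self) -> bool:
        # Anything not bound to loopback can be reached from other hosts, and from the
        # internet if the gateway forwards the port or the host is directly exposed.
        return not self.addr.startswith(LOOPBACK_PREFIXES)


@dataclass(frozen=True)
class Finding:
    listener: Listener
    reason: str


def parse_listeners(ss_output: str) -> list[Listener]:
    """Parse the LISTEN rows of `ss -tlnp` output into Listener records."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                                  # header or non-listening row
        addr, _, port = fields[3].rpartition(":")     # "[::]:22" -> "[::]", "22"
        match = re.search(r'\("([^"]+)"', line)        # process name inside users:(("name",...))
        process = match.group(1) if match else "unknown"
        listeners.append(Listener(addr, int(port), process))
    return listeners


def review_exposure(listeners: list[Listener], allowlist: dict[int, str]) -> list[Finding]:
    """Flag network-reachable listeners with no recorded business need, or served by
    a different program than the one the register approved."""
    findings = []
    for lst in listeners:
        if not lst.reachable_from_network:
            continue
        expected = allowlist.get(lst.port)
        if expected is None:
            findings.append(Finding(lst, "no recorded business need for this exposed port"))
        elif expected != lst.process:
            findings.append(Finding(lst, f"port approved for {expected!r} but served by {lst.process!r}"))
    return findings


if __name__ == "__main__":
    for f in review_exposure(parse_listeners(SAMPLE_SS), ALLOWLIST):
        print(f"{f.listener.addr}:{f.listener.port} ({f.listener.process}): {f.reason}")
```

This is a host-side view only: a port that is open on the machine may still be blocked by the gateway, and a port that looks closed here may be forwarded from elsewhere. Run the same review from outside the network (a port scan from an external address, or the professional scan the plan mentions) and reconcile the two lists.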
Have you been through the devices that you have and disabled software that you don’t use?
Action item: A typical ‘out-of-the-box’ set-up might enable an administrative account with a standard, publicly known default password. There are often one or more additional user accounts enabled (sometimes with special access privileges), pre-installed but unnecessary applications or services and sometimes even a default file share. All of these present security risks. It would be like setting sail in a leaky boat, so it’s wise to make sure your system is watertight before you go any further. Review your devices with a view to removing services, software or applications that are not required.
This might include a server running a default web server that you don’t use, additional accounts on some devices that are not required, or any additional software that you don’t use. Here’s more information on removing unnecessary software.
Do you have something written down to advise people about creating good passwords, what their length should be, and how important it is to use different passwords for different systems?
Action item: We need our passwords to be secure and complex so that people cannot guess them to get onto our system. A policy on passwords is needed even if you are a sole trader.
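A written policy is only useful if something enforces it. As an added example that is not part of the Cyber Essentials plan, the Python checker below applies the minimum the plan asks for: a length floor of eight characters (with no maximum, so passphrases are welcome), a deny list of common passwords that also catches ‘Password1!’-style padding, no use of the username or company name, and a hashed record of passwords the user has already used on other systems so the same one cannot be reused. The deny list and the user details are constructed for the example; the reuse fingerprint is a plain SHA-256 used only for comparison, not a substitute for the salted slow hash a real credential store must use.

```python
from __future__ import annotations

import hashlib
import unicodedata

MIN_LENGTH = 8   # the plan's floor; set no maximum so long passphrases are allowed

# Constructed deny list of common passwords; in practice load a large published list
# and refresh it regularly.
DENY_LIST = {"password", "password1", "qwerty", "qwerty123", "letmein", "welcome",
             "12345678", "admin", "admin123", "iloveyou", "football"}

# Characters people tack onto a dictionary word to satisfy a complexity rule.
TRAILING_PADDING = "0123456789!@#$%^&*._-"


def normalise(password: str) -> str:
    """Fold case and Unicode form so 'PASSWORD' and 'password' compare equal."""
    return unicodedata.normalize("NFKC", password).casefold()


def fingerprint(password: str) -> str:
    """Hash used only to detect reuse across systems without keeping the password.
    A real credential store must use a salted, slow hash (bcrypt, scrypt or Argon2)."""
    return hashlib.sha256(normalise(password).encode("utf-8")).hexdigest()


def check_password(candidate: str, username: str, org_name: str,
                   used_elsewhere: set[str]) -> list[str]:
    """Return the policy violations for `candidate`; an empty list means it is acceptable."""
    reasons: list[str] = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    low = normalise(candidate)
    # "Password1!" is still "password" once the predictable padding is stripped.
    stem = low.rstrip(TRAILING_PADDING)
    if low in DENY_LIST or stem in DENY_LIST:
        reasons.append("on the common-password deny list")
    for word in (username, org_name):
        if word and word.casefold() in low:
            reasons.append(f"contains {word!r}")
    if fingerprint(candidate) in used_elsewhere:
        reasons.append("already used on another system")
    return reasons


if __name__ == "__main__":
    # Constructed example user: 'alice' at 'Acme', who already uses one password on another system.
    already_used = {fingerprint("Tr0ub4dor&3")}
    for pw in ("Password1!", "Acme1!", "Tr0ub4dor&3", "correct horse battery staple"):
        verdict = check_password(pw, "alice", "Acme", already_used) or ["ok"]
        print(f"{pw!r}: {', '.join(verdict)}")
```

The length check is the one rule that does most of the work; the deny list catches the handful of guesses an attacker tries first, and the reuse check is what turns ‘different passwords for different systems’ from advice into something the system can refuse.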
Do you make sure that each user requires their own username and password and there are no shared username or passwords?
Action item: Sharing usernames and passwords is not a good idea. If one of the users did something which was not allowed, it would not be possible to determine who it was, or even if it was an authorised user. When organisations want to share user accounts the software or the processes can be changed to achieve the same result safely without actually sharing user accounts. This makes the organisation more secure.
Are all of your computers, laptops, and mobile phones protected against malware?
Action item: Malware is a shortened form of malicious software. This is software that is designed to steal information, to damage information or to prevent you from delivering information. One of the ways of protecting your devices and network against malware is to keep your software up-to-date with the latest software patches. Another method is to ensure you have antivirus software installed and updating.
Have you a process for tracking user accounts of people who join or leave?
Action item: Consider developing a joiners, movers and leavers process. When someone joins your organisation, their account permissions should be recorded and approved. When they leave, their account should be disabled or removed. Here is more information on managing computer accounts.
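The way to know whether a joiners, movers and leavers process is actually working is to reconcile the HR roster against the account directory on a schedule. As an added example that is not part of the Cyber Essentials plan, the Python script below compares two constructed CSV exports (a hypothetical HR list and a hypothetical directory dump, both made up for the example) and reports the four exceptions a reviewer wants to see: a leaver whose account is still enabled, an account with no named owner, a new starter with no account, and an enabled account nobody has logged into for 90 days, which is usually a leaver the process missed.

```python
from __future__ import annotations

import csv
import io
from datetime import date

STALE_AFTER_DAYS = 90   # assumption: an enabled account unused this long needs a review

# Constructed HR roster and directory export; neither is real data.
HR_CSV = """\
employee_id,name,status,leave_date
E001,Alice Smith,active,
E002,Bob Jones,left,2024-03-15
E003,Carol White,active,
E004,Dan Brown,active,
"""

DIRECTORY_CSV = """\
username,employee_id,enabled,last_login
asmith,E001,true,2024-05-20
bjones,E002,true,2024-03-14
cwhite,E003,true,2024-01-02
svc-backup,,true,2024-05-21
"""


def _rows(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_csv: str, directory_csv: str, today: date) -> dict[str, list[str]]:
    """Compare the HR roster with the account directory and return the exceptions."""
    people = {r["employee_id"]: r for r in _rows(hr_csv)}
    report: dict[str, list[str]] = {
        "leaver_still_enabled": [],    # should have been disabled on the leave date
        "orphan_accounts": [],         # no HR owner: service accounts need a named owner
        "joiners_without_account": [], # starter recorded by HR but never provisioned
        "stale_accounts": [],          # enabled but unused; often a missed leaver
    }
    seen_employees: set[str] = set()
    for acct in _rows(directory_csv):
        enabled = acct["enabled"].strip().lower() == "true"
        owner = people.get(acct["employee_id"])
        if owner is None:
            report["orphan_accounts"].append(acct["username"])
        else:
            seen_employees.add(acct["employee_id"])
            if owner["status"] == "left" and enabled:
                report["leaver_still_enabled"].append(acct["username"])
        if enabled and acct["last_login"]:
            idle_days = (today - date.fromisoformat(acct["last_login"])).days
            if idle_days > STALE_AFTER_DAYS:
                report["stale_accounts"].append(acct["username"])
    for emp_id, person in people.items():
        if person["status"] == "active" and emp_id not in seen_employees:
            report["joiners_without_account"].append(emp_id)
    return report


def run_sample(today_iso: str = "2024-05-22") -> dict[str, list[str]]:
    """Run the reconciliation over the constructed sample as of a fixed date."""
    return reconcile(HR_CSV, DIRECTORY_CSV, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for category, names in run_sample().items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Run it monthly against real exports and every non-empty line is a ticket: disable the leaver, assign an owner to the service account, provision the starter, and ask the stale account's owner whether it is still needed. The same join is where you would add a column for privilege level, so that movers who changed role do not keep the administrative rights of their old one.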